
Access Control and Semantic Web Technologies

Ravi Sandhu, Executive Director and Endowed Chair, Institute for Cyber Security, University of Texas at San Antonio. April 2008.


Presentation Transcript


  1. Access Control and Semantic Web Technologies Ravi Sandhu Executive Director and Endowed Chair Institute for Cyber Security University of Texas at San Antonio April 2008

  2. Theme
     • Access control has always had to adjust as new Information Technologies came into play
       ◦ Operating systems
       ◦ Relational DBMSs
       ◦ Object oriented systems
       ◦ XML: XACML, XRML
     • Therefore, semantic web technologies will also require a change in access control
     • But in the meantime access control itself has evolved
       ◦ DAC and MAC
       ◦ RBAC
       ◦ Trust Management, Obligations, Attribute-based access control
       ◦ Policy languages
       ◦ Usage control
     • So semantic web technologies may also need to change to accommodate some of these developments

  3. Theme
     • Security itself has fundamentally changed
       ◦ Enterprise security → Multi-party security
       ◦ Black-and-white security → Gray security
       ◦ Limited points of access → Access anytime anywhere
       ◦ Engage with one service at a time → Engage with multiple services concurrently

  4. Models versus Policy Languages
     • Access control models
       ◦ Built on abstractions
       ◦ Incomplete
       ◦ Testable for conformance
       ◦ Guidance for security architects
       ◦ DAC, MAC, RBAC, UCON
     • Policy languages
       ◦ Specify what authorizations apply under various circumstances
       ◦ Industry standard: XACML
       ◦ Academic implementation oriented: Ponder
       ◦ Several theoretical languages
       ◦ Semantic web: Kaos, Rei, Rein, KAoS
     • Need synergy between these two streams of research
       ◦ Models provide a framework but are necessarily incomplete
       ◦ Languages by themselves provide no guidance or framework

  5. Partners in Crime
     • Proceedings ACM Symposium on Access Control Models and Technologies (SACMAT), 2008, to appear

  6. NIST RBAC Standard Model

  7. NIST RBAC Standard Model

  8. NIST RBAC Standard RBAC

  9. US Persons Role Hierarchy

  10. ROWLBAC: 2 Approaches

  11. Common Elements

  12. Roles as Classes: Role Hierarchies

  13. Roles as Classes: SSD, DSD

  14. Roles as Classes: Role-Permission

  15. Roles as Classes: Enforcing DSD

  16. Roles as Values

  17. Roles as Values: Hierarchical Roles

  18. Roles as Values: SSD, DSD

  19. Roles as Values: Role Permissions

  20. Roles as Values: Enforcing RBAC

  21. ROWLBAC: 2 Approaches

  22. The UCON Model
     • unified model integrating
       ◦ authorization
       ◦ obligation
       ◦ conditions
     • and incorporating
       ◦ continuity of decisions
       ◦ mutability of attributes

  23. UCON Extensions
     • UCON future obligations
     • UCON system obligations

  24. Unifying Policy Framework

  25. Unifying Policy Framework
